A recent incident involving a malicious PyPI package serves as a poignant reminder of the vulnerabilities present in open-source software repositories. Initially identified by JFrog's security team, this package was part of an internal security audit and not intended for malicious use, as clarified by the security team that published it. Once reported, the package was swiftly removed by PyPI maintainers, underscoring the importance of vigilance in software security. The package demonstrated a sophisticated attack method, utilizing a pseudorandom domain generation algorithm and multi-stage execution to target corporate and cloud environments specifically. It aimed to exfiltrate sensitive information such as JAMF receipts, CI/CD metadata, and AWS account IDs. The first stage involved retrieving an authentication token from a domain to download a Python-based infostealer payload, which further collected and sent data from the compromised environment back to the malicious domains. Although the attack could run on any machine that installed the package, the third stage was restricted to specific machines due to internal security measures. This incident highlights the critical role of continuous monitoring and rapid response by security teams like JFrog, which has updated its Xray tool to detect such threats and provides a reminder for users to rely on reputable sources when installing packages.